Permutation-based symmetric cryptography and Keccak (transcript of a 52-slide deck; uploaded 2013-03-22)

Page 1:

Permutation-based symmetric cryptography and Keccak

Joan Daemen (1)

joint work with Guido Bertoni (1), Michaël Peeters (2) and Gilles Van Assche (1)

(1) STMicroelectronics, (2) NXP Semiconductors

Ecrypt II, Crypto for 2020, Tenerife, January 22 to 24, 2013

Page 2: Outline

1 Mainstream symmetric cryptography

2 Permutation-based cryptography

3 On the efficiency of permutation-based cryptography

4 Requirements for the permutation

5 Keccak

6 Conclusions

Page 3: Symmetric crypto: what textbooks and intros say

Symmetric cryptographic primitives:
- Block ciphers
- Stream ciphers: synchronous, self-synchronizing
- Hash functions: non-keyed; keyed (MAC functions)

And their modes-of-use

Page 4: The hash function cliché

Hash functions: [figure]

Page 5: The hash function cliché

Hash functions: [figure]

But MD5, SHA-1, etc.: just block ciphers in some mode

Page 6: You can do everything with a block cipher

- Block encryption: ECB, CBC, …
- Stream encryption: synchronous: counter mode, OFB, …; self-synchronizing: CFB
- MAC computation: CBC-MAC, CMAC, …
- Hashing and its modes: HMAC, MGF1, …
- Authenticated encryption: OCB, GCM, CCM, …

Page 7: Seems like this is closer to the truth nowadays

Block cipher: [figure]

Page 8: Block cipher operation [figure]

Page 9: Block cipher operation: the inverse [figure]

Page 10: When do you need the inverse?

Indicated in red on the slide (the colour coding is lost in this transcript):
- Hashing and its modes: HMAC, MGF1, …
- Block encryption: ECB, CBC, …
- Stream encryption: synchronous: counter mode, OFB, …; self-synchronizing: CFB
- MAC computation: CBC-MAC, CMAC, …
- Authenticated encryption: OCB, GCM, CCM, …
- Most schemes with misuse-resistant claims

Of these, only ECB and CBC decryption, OCB and (as the slide notes) most misuse-resistant schemes call the block-cipher inverse; hashing, counter mode, OFB, CFB, CBC-MAC, CMAC, GCM and CCM use the forward direction only.

So for most uses you don't need the inverse!

Page 11: Internals of a typical block cipher [figure]

Page 12: Hashing use case: Davies-Meyer compression function [figure]

Page 13: Removing unnecessary diffusion restriction [figure]

Page 14: Simplifying the view: iterated permutation [figure]

Page 15: Where can you plug in a permutation?

In all modes but those in red on the slide, i.e. the ones that need the inverse:
- Hashing and its modes: HMAC, MGF1, …
- Block encryption: ECB, CBC, …
- Stream encryption: synchronous: counter mode, OFB, …; self-synchronizing: CFB
- MAC computation: CBC-MAC, CMAC, …
- Authenticated encryption: OCB, GCM, CCM, …

But also a nice opportunity to clean up the modes!

Page 16: Outline, section 2: Permutation-based cryptography

Page 17: The sponge construction

f: a b-bit permutation with b = r + c
- efficiency: processes r bits per call to f
- security: provably resists generic attacks up to 2^(c/2) calls

Flexibility in trading rate r for capacity c or vice versa

Page 18: What can we say about sponge security

Proof of security against generic attacks:
- assuming f has been chosen randomly
- tight: as sound as theoretically possible
- limitation: inner collisions in the c-bit inner part

Security for a specific choice of f:
- a security proof is infeasible
- design f with attacks in mind
- assurance by absence of attacks despite public scrutiny

Security claim: target for attacks
- tight claim: no attacks better than generic attacks (Hermetic Sponge Strategy)
- weaker claims relax the conditions on f

Page 19: Regular hashing

Pre-sponge permutation-based hash functions:
- Truncated permutation as compression function: Snefru [Merkle ’90], FFT-Hash [Schnorr ’90], …, MD6 [Rivest et al. 2007]
- Streaming-mode: Subterranean, Panama, RadioGatún, Grindahl [Knudsen, Rechberger, Thomsen, 2007], …

Page 20: Message authentication codes

Pre-sponge (partially) permutation-based MAC function: Pelican-MAC [Daemen, Rijmen 2005]

Page 21: Stream encryption

Similar to block cipher modes:
- Long keystream per IV: like OFB
- Short keystream per IV: like counter mode

Independent permutation-based stream ciphers: Salsa and ChaCha [Bernstein 2007]

Page 22: Mask generating function [figure]

Page 23: Authenticated encryption: MAC generation [figure]

Page 24: Authenticated encryption: encryption [figure]

Page 25: Authenticated encryption: just do them both? [figure]

Page 26: The duplex construction

Object: D = duplex[f, pad, r]

Requesting ℓ-bit output: Z = D.duplexing(σ, ℓ)

Generic security provably equivalent to that of the sponge

Page 27: SpongeWrap authenticated encryption

- Single-pass authenticated encryption
- Processes up to r bits per call to f
- Functionally similar to (P)helix [Lucks, Muller, Schneier, Whiting, 2004]
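The duplex object D = duplex[f, pad, r] of page 26 and the single-pass SpongeWrap-style authenticated encryption of this slide, carried through as an added example written for this transcript (not the slides' or the Keccak team's code). The permutation is a deliberately tiny add-rotate-xor toy standing in for a real one such as Keccak-f and gives no security; it is only there so the mode can be run. The frame-byte handling follows the SpongeWrap pattern (0 while more header blocks follow, 1 on the last header block and on non-final body blocks, 0 on the final body block), but the key and nonce are simply absorbed as the first header blocks, so this is a simplified variant that assumes fixed-length key and nonce, not the SpongeWrap specification. The names Duplex, wrap and unwrap and the sample key, nonce and message are this example's own.

```python
"""Duplex construction and a SpongeWrap-style single-pass AE mode on top of it.
Added example for this transcript; toy permutation, no real security."""
import hmac
import struct

B_BYTES, R_BYTES = 32, 16          # toy width b and rate r in bytes (capacity c = 16 bytes)
RHO_BYTES = R_BYTES - 2            # payload per duplexing call: room for frame byte + pad10*1


def _rol32(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF


def toy_permutation(state: bytes) -> bytes:
    """Invertible add/rotate/xor mixing of 8 words; a stand-in for Keccak-f, not secure."""
    w = list(struct.unpack("<8I", state))
    for rnd in range(8):
        for i in range(8):
            a, b = w[i], w[(i + 1) % 8]
            a = (a + b) & 0xFFFFFFFF
            b = _rol32(b ^ a, 7 + 3 * i)
            w[i], w[(i + 1) % 8] = a, b
        w[0] ^= rnd + 1                # round constant: breaks symmetry between rounds
    return struct.pack("<8I", *w)


class Duplex:
    """D = duplex[f, pad, r]: the state persists across calls; each call absorbs sigma
    (padded with pad10*1 to r bytes) into the outer part, applies f and returns ell bytes."""

    def __init__(self, f=toy_permutation, b=B_BYTES, r=R_BYTES):
        self.f, self.r = f, r
        self.state = bytearray(b)

    def duplexing(self, sigma: bytes, ell: int) -> bytes:
        assert len(sigma) < self.r and 0 <= ell <= self.r
        block = bytearray(sigma) + b"\x01" + bytes(self.r - len(sigma) - 1)
        block[-1] |= 0x80              # pad10*1: a 1 bit, zeros, a final 1 bit
        for i in range(self.r):
            self.state[i] ^= block[i]
        self.state = bytearray(self.f(bytes(self.state)))
        return bytes(self.state[:ell])


def _blocks(data: bytes, size: int):
    """Cut data into chunks of at most size bytes; empty data gives one empty chunk."""
    return [data[i:i + size] for i in range(0, len(data), size)] or [b""]


def _wrap_core(key, nonce, ad, body, decrypt, taglen):
    """Shared wrap/unwrap path: the duplex absorbs header blocks (frame byte 0, last one 1),
    then plaintext blocks (frame byte 1, last one 0); its outputs are keystream, then tag."""
    D = Duplex()
    header = _blocks(key, RHO_BYTES) + _blocks(nonce, RHO_BYTES) + _blocks(ad, RHO_BYTES)
    for blk in header[:-1]:
        D.duplexing(blk + b"\x00", 0)
    blocks = _blocks(body, RHO_BYTES)
    Z = D.duplexing(header[-1] + b"\x01", len(blocks[0]))   # keystream for first body block
    out = bytearray()
    for i, blk in enumerate(blocks):
        xored = bytes(x ^ z for x, z in zip(blk, Z))
        plain = xored if decrypt else blk                    # the state always absorbs plaintext
        out += xored
        if i + 1 < len(blocks):
            Z = D.duplexing(plain + b"\x01", len(blocks[i + 1]))
        else:
            Z = D.duplexing(plain + b"\x00", min(taglen, D.r))   # first tag bytes
    tag = bytearray(Z)
    while len(tag) < taglen:                                 # longer tags: keep squeezing
        tag += D.duplexing(b"", min(taglen - len(tag), D.r))
    return bytes(out), bytes(tag)


def wrap(key: bytes, nonce: bytes, ad: bytes, plaintext: bytes, taglen: int = 16):
    """Encrypt and authenticate (ad is authenticated only). Returns (ciphertext, tag)."""
    return _wrap_core(key, nonce, ad, plaintext, False, taglen)


def unwrap(key: bytes, nonce: bytes, ad: bytes, ciphertext: bytes, tag: bytes):
    """Decrypt; returns the plaintext only if the tag verifies, else None."""
    plaintext, expected = _wrap_core(key, nonce, ad, ciphertext, True, len(tag))
    if not hmac.compare_digest(expected, tag):
        return None
    return plaintext


# constructed sample inputs (not from the slides)
KEY, NONCE, AD = b"k" * 16, b"n" * 12, b"header v1"
MSG = b"attack at dawn; confirm by duplex"

if __name__ == "__main__":
    ct, tag = wrap(KEY, NONCE, AD, MSG)
    assert unwrap(KEY, NONCE, AD, ct, tag) == MSG
    assert unwrap(KEY, NONCE, b"other header", ct, tag) is None
    print(ct.hex(), tag.hex())
```

Because the mode is single-pass, unwrap has to absorb the candidate plaintext block by block to stay in step with wrap, so the plaintext exists in memory before the tag is checked; the function therefore never returns it on a failed check, and the tag comparison is constant-time. Each duplexing call moves r bits (here 16 bytes) through f, of which 14 bytes carry payload, which is where the "up to r bits per call" of the slide comes from.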

Page 28: What textbooks and intros should say from now on :-)

Symmetric cryptographic primitives:
- Permutations
- Block ciphers
- Stream ciphers
- Hash functions: non-keyed; keyed (MAC functions)

And their modes-of-use

Page 29: Outline, section 3: On the efficiency of permutation-based cryptography

Page 30: Efficiency: working memory required for hashing

Assume security strength c/2.

Davies-Meyer block-cipher-based hash (“narrow pipe”):
- chaining value (block size): n ≥ c
- input block size (key length): typically k ≥ n
- feedforward (block size): n
- total state ≥ 3c

Sponge (“huge state”):
- permutation width: c + r
- r can be made arbitrarily small, e.g. 1 byte
- total state ≥ c + 8

Similar arguments apply to other use cases

Page 31: Efficiency: speed of keyed permutation modes

One cryptographic expert’s opinion:

“The sponge construction is a pretty poor way to encrypt. One either gets high-speed but low security or low-speed and high security.”

Keccak showed that a sponge can be secure and fast:
- not significantly slower than block cipher modes
- but very fast dedicated primitives exist for MAC computation and for stream encryption, well, at least for long cleartexts

Page 32: Boosting keyed permutation modes

1 Keyed modes have a higher generic security level
  - generic security strength c − a instead of c/2, with 2^a ranging from 1 to the data complexity
  - allows increasing the rate by c/2 − a bits (e.g. for 128-bit strength with at most 2^64 blocks of data, c = 192 suffices instead of c = 256)

2 Keyed modes seem harder to attack
  - in keyed modes the attacker has less power
  - allows decreasing the number of rounds in the permutation

3 Introducing functionally optimized constructions
  - donkeySponge: MAC computation
  - monkeyDuplex: nonce-imposing (authenticated) encryption

Page 33: Reducing rounds for keyed modes

MD5 hash function [Rivest 1992]
- unkeyed: constructing fake certificates [Stevens et al. 2009]
- keyed: very little progress in 1st pre-image generation

Panama hash and stream cipher [Clapp, Daemen 1998]
- unkeyed: instantaneous collisions [Daemen, Van Assche 2007]
- keyed: stream cipher unbroken to this day

Keccak crypto contest with reduced-round challenges
- unkeyed: 4-round collisions [Dinur, Dunkelman, Shamir 2012]
- keyed: pre-image up to 2 rounds only [Morawiecki 2011]

In keyed modes use a permutation with fewer rounds: e.g. for Keccak a speedup factor of up to 3 while still offering a comfortable safety margin

Page 34: Introducing functionally optimized constructions

Sponge and duplex are generic modes:
- flexible and multi-purpose
- do not exploit mode-specific features

MAC computation:
- before squeezing the adversary has no information about the state
- relaxes requirements on f during absorbing

Authenticated encryption in the presence of nonces:
- the nonce can be used to decorrelate computations

Page 35: The donkeySponge MAC construction

- Usage of the full state width b during absorbing, as in [Pelican-MAC]
- n_absorb determined by the maximum differential probability (DP) over n_absorb rounds of f
- Spectacular speedup, especially for small b

Page 36: Outline, section 4: Requirements for the permutation

Page 37: Desired cryptographic properties of the permutation

Classical LC/DC criteria:
- absence of large differential propagation probabilities
- absence of large input-output correlations
- study trail weights and clustering

Immunity to:
- integral cryptanalysis
- algebraic attacks
- slide and symmetry-exploiting attacks
- …

Infeasibility of the CICO problem

Page 38: The CICO problem (constrained-input, constrained-output)

Given part of the input and part of the output of the permutation, determine the remaining parts

Important in many attacks

Generalization: multi-target

Example: pre-image generation in hashing [figure]

Page 39: The CICO problem (same slide, second example): state recovery in stream encryption [figure]

Page 40: Outline, section 5: Keccak

Page 41: Keccak-f: the permutations in Keccak

Operates on a 3D state with coordinates x, y, z: [figure]
- (5×5)-bit slices
- 2^ℓ-bit lanes
- parameter 0 ≤ ℓ < 7, so the width is b = 25·2^ℓ

Round function with 5 steps:
- θ: mixing layer
- ρ: inter-slice bit transposition
- π: intra-slice bit transposition
- χ: non-linear layer
- ι: round constants

Number of rounds: 12 + 2ℓ for b = 25·2^ℓ
- 12 rounds in Keccak-f[25]
- 24 rounds in Keccak-f[1600]

By default: r = 1024, c = 576 (the Keccak default at the time of this talk; the SHA-3 standard FIPS 202 later fixed c at twice the digest length, e.g. c = 512 and r = 1088 for SHA3-256)
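The sponge construction of page 17 and the Keccak-f round function of this slide, carried through in code as an added example written for this transcript (not the Keccak team's reference code): Keccak-f[1600] with its five steps θ, ρ, π, χ, ι, a generic sponge parameterised by rate and padding suffix, and SHA3-256 and SHAKE128 instances used only so the result can be checked against Python's hashlib. Lane ordering, padding and the round-constant LFSR follow the Keccak/FIPS 202 conventions; the function names are this example's own.

```python
"""Sponge construction over Keccak-f[1600], written as an added example for this
transcript (not the slides' or the Keccak team's code). The SHA-3/SHAKE
instances exist only so the output can be checked against hashlib."""
import hashlib

MASK64 = (1 << 64) - 1
# rho rotation offsets r[x][y] of the Keccak specification, indexed ROT[x][y]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def rol64(v, n):
    """Rotate a 64-bit lane left by n bits."""
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def round_constants():
    """iota constants for 24 rounds from the 8-bit LFSR rc(t) of the Keccak spec."""
    rcs, R = [], 1
    for _ in range(24):
        rc = 0
        for j in range(7):
            R = ((R << 1) ^ ((R >> 7) * 0x71)) & 0xFF
            if R & 2:
                rc |= 1 << ((1 << j) - 1)
        rcs.append(rc)
    return rcs


RC = round_constants()


def keccak_f1600(lanes):
    """Keccak-f[1600] on 25 lanes A[x][y]: 24 rounds of theta, rho, pi, chi, iota."""
    A = [row[:] for row in lanes]
    for rc in RC:
        # theta: each bit absorbs the parities of columns (x-1, z) and (x+1, z-1)
        C = [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]
        D = [C[(x - 1) % 5] ^ rol64(C[(x + 1) % 5], 1) for x in range(5)]
        A = [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]
        # rho (per-lane rotation, moves bits between slices) and pi (lane positions within slices)
        B = [[0] * 5 for _ in range(5)]
        for x in range(5):
            for y in range(5):
                B[y][(2 * x + 3 * y) % 5] = rol64(A[x][y], ROT[x][y])
        # chi: the only non-linear step; on each 5-bit row a_i ^= ~a_{i+1} & a_{i+2}
        A = [[B[x][y] ^ (~B[(x + 1) % 5][y] & B[(x + 2) % 5][y]) for y in range(5)]
             for x in range(5)]
        # iota: round constant into lane (0,0) breaks symmetry between rounds
        A[0][0] ^= rc
    return A


def f_bytes(state):
    """Apply Keccak-f[1600] to a 200-byte state; lane (x,y) is bytes 8*(x+5y).., little-endian."""
    lanes = [[int.from_bytes(state[8 * (x + 5 * y):8 * (x + 5 * y) + 8], "little")
              for y in range(5)] for x in range(5)]
    lanes = keccak_f1600(lanes)
    out = bytearray(200)
    for x in range(5):
        for y in range(5):
            out[8 * (x + 5 * y):8 * (x + 5 * y) + 8] = lanes[x][y].to_bytes(8, "little")
    return out


def sponge(data, rate_bytes, out_len, suffix):
    """Sponge[f, pad, r]: absorb r-byte blocks, then squeeze out_len bytes.
    suffix = domain-separation bits plus the first pad bit: 0x06 for SHA-3,
    0x1F for SHAKE, 0x01 for plain pad10*1 as in the original Keccak submission."""
    assert 0 < rate_bytes < 200
    state = bytearray(200)
    msg = bytearray(data) + bytes([suffix])
    msg += bytes(-len(msg) % rate_bytes)          # zeros up to a full block
    msg[-1] |= 0x80                               # final 1 bit of pad10*1
    for off in range(0, len(msg), rate_bytes):    # absorbing phase: r bits per call to f
        for i in range(rate_bytes):
            state[i] ^= msg[off + i]
        state = f_bytes(state)
    out = bytearray()
    while True:                                   # squeezing phase: r bits per call to f
        out += state[:rate_bytes]
        if len(out) >= out_len:
            return bytes(out[:out_len])
        state = f_bytes(state)


def sha3_256(data: bytes) -> bytes:
    return sponge(data, 136, 32, 0x06)            # r = 1088, c = 512


def shake128(data: bytes, out_len: int) -> bytes:
    return sponge(data, 168, out_len, 0x1F)       # r = 1344, c = 256


def check_against_hashlib(data: bytes, shake_len: int = 300) -> bool:
    """True when both instances agree with the standard library (shake_len > 168 forces a second squeeze)."""
    return (sha3_256(data) == hashlib.sha3_256(data).digest()
            and shake128(data, shake_len) == hashlib.shake_128(data).digest(shake_len))


if __name__ == "__main__":
    print(sha3_256(b"").hex())              # SHA3-256 of the empty string
    print(check_against_hashlib(b"abc"))
```

Changing rate_bytes and the capacity that goes with it is all it takes to move between instances: the permutation and the absorb/squeeze loops stay the same, which is the flexibility the sponge slide refers to, and the security level is read off the capacity alone (c/2 bits against generic attacks).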

Pages 42 to 45: the same Keccak-f slide, highlighting in turn a row, a column, a slice and a lane of the state [figures]

Page 46: The χ non-linear layer

Convolutional transformation rather than an S-box: on each 5-bit row, b_i = a_i ⊕ (¬a_{i+1} ∧ a_{i+2}), with indices taken mod 5

Finding something simpler or cheaper would be hard

Page 47: The θ mixing layer

[figure: column parity + θ effect = combined result]

Much cheaper than MDS and still good average diffusion; bad worst-case diffusion: the kernel (states in which every column has even parity pass through θ unchanged)

Addressed in the bit transpositions ρ and π
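The θ kernel mentioned here, worked through in code as an added example (not from the slides): θ and the ρ/π transpositions of Keccak-f[1600] are reproduced just far enough to show that θ spreads a single active bit to 11 bits, that two active bits in the same column (even column parity) pass θ untouched, and that ρ and π move such a pair into different columns so that the next θ does diffuse it. Function names are this example's own.

```python
"""Worked check of the theta kernel of Keccak-f[1600]; added example, not slide code.
State: 25 lanes A[x][y] of 64 bits, bit z of lane (x,y) is state bit (x,y,z)."""
MASK64 = (1 << 64) - 1
# rho offsets r[x][y] of the Keccak specification, indexed ROT[x][y]
ROT = [[0, 36, 3, 41, 18], [1, 44, 10, 45, 2], [62, 6, 43, 15, 61],
       [28, 55, 25, 21, 56], [27, 20, 39, 8, 14]]


def rol64(v, n):
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def column_parities(A):
    """C[x] packs, per z, the parity of the 5-bit column (x, *, z)."""
    return [A[x][0] ^ A[x][1] ^ A[x][2] ^ A[x][3] ^ A[x][4] for x in range(5)]


def theta(A):
    """Each bit absorbs the parities of column (x-1, z) and column (x+1, z-1)."""
    C = column_parities(A)
    D = [C[(x - 1) % 5] ^ rol64(C[(x + 1) % 5], 1) for x in range(5)]
    return [[A[x][y] ^ D[x] for y in range(5)] for x in range(5)]


def rho_pi(A):
    """rho rotates every lane by its own offset, pi moves lane (x,y) to (y, 2x+3y)."""
    B = [[0] * 5 for _ in range(5)]
    for x in range(5):
        for y in range(5):
            B[y][(2 * x + 3 * y) % 5] = rol64(A[x][y], ROT[x][y])
    return B


def weight(A):
    """Number of active (set) bits in the state."""
    return sum(bin(A[x][y]).count("1") for x in range(5) for y in range(5))


def state_with_bits(bits):
    """Build a state from (x, y, z) coordinates of active bits."""
    A = [[0] * 5 for _ in range(5)]
    for x, y, z in bits:
        A[x][y] |= 1 << z
    return A


def theta_weight_after(bits):
    """Active-bit count after theta for a state with the given active bits."""
    return weight(theta(state_with_bits(bits)))


def in_kernel(A):
    """theta acts as the identity exactly when every column has even parity."""
    return all(c == 0 for c in column_parities(A))


def kernel_survives_rho_pi(bits):
    """Is a kernel state still in the kernel after rho and pi? (For a column pair: no.)"""
    return in_kernel(rho_pi(state_with_bits(bits)))


if __name__ == "__main__":
    print(theta_weight_after([(0, 0, 0)]))                  # one bit spreads to 11
    print(theta_weight_after([(0, 0, 0), (0, 3, 0)]))       # a column pair stays at 2
    print(kernel_survives_rho_pi([(0, 0, 0), (0, 3, 0)]))   # False: next theta will diffuse it
```

This is why trail search for Keccak concentrates on states that stay in the kernel across rounds: a differential that never leaves the kernel costs nothing at θ, and the rotation offsets of ρ are chosen so that bits which share a column are pulled apart into different slices and columns.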

Page 48: The θ mixing layer (same slide, animation step) [figure]

Page 49: Some distinguishing Keccak features

Strong symmetry enabling different implementation options:
- lane-wise, slice-wise
- bit interleaving
- see [Keccak 1001 ways] and [Keccak implementation overview]

Lightweight mixing and non-linear layers: a global approach instead of local optimization

Different from both ARX and AES-based designs:
- rebound and truncated-differential attacks not applicable thanks to weak alignment
- no complexity due to carry propagation
- challenge: improve the trail weight bounds of [Daemen, Van Assche, FSE 2012]

Page 50: Outline, section 6: Conclusions

Page 51: Conclusions

Iterated permutations:
- are versatile and efficient cryptographic primitives
- allow cleaner and more flexible modes

Cryptanalysis of iterated permutations:
- no more key schedule or message expansion
- introducing the CICO problem

Keccak may inspire:
- new designs: lightweight, weakly aligned, symmetric, …
- new research: trail weight bound techniques, …
- new attacks: no assurance without scrutiny!

Page 52: Questions?

Thanks for your attention!

More information on
http://keccak.noekeon.org/
http://sponge.noekeon.org/